WordPress Plugin Vulnerabilities

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy < 3.3.7 - Unauthenticated Private Post Title Disclosure

Description

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal.

Affects Plugins

Plugin icon
easy-digital-downloads
Fixed in 3.3.7

References

CVE
CVE-2025-2252
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9e0e3b81-55fe-46b2-bae1-d7321d74c485

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Françoa Taffarel
Verified
No
WPVDB ID
8ca5a4aa-b4c1-4849-9058-e63b148e2227

Timeline

Publicly Published
2025-03-24 (about 1 year ago)
Added
2025-03-24 (about 1 year ago)
Last Updated
2025-03-25 (about 1 year ago)

Other

Published
Title
Published
2024-04-11
Title
Citadela Listing <= 5.18.1 - Unauthenticated Sensitive Information Exposure
Published
2025-07-23
Title
AI Engine < 2.9.5 - Missing URL Scheme Validation to Authenticated (Subscriber+) Arbitrary File Read via simpleTranscribeAudio and get_audio Functions
Published
2023-12-29
Title
Everest Backup < 2.2.0 - Sensitive Information Exposure via Log File
Published
2022-06-17
Title
GiveWP < 2.21.0 - Donor Information Disclosure
Published
2026-06-09
Title
Fluent Booking < 2.1.2 - Calendar Manager+ Sensitive Information Disclosure via Attendee Export